Overview
Internet throughput for clients behind a Kerio Control firewall may drop drastically — sometimes to as low as 2 Mbps — even though the ISP connection tests normally when the firewall is bypassed. CPU and memory on the appliance typically remain low, and disabling security features (IPS, antivirus, content filter) does not help.
This is a known software-level issue related to GRO (Generic Receive Offload), a network-interface optimization that can conflict with Kerio Control’s packet processing. Disabling GRO on the WAN and LAN interfaces restores normal throughput.
Symptoms
- Download speeds are severely capped for all clients behind the firewall, while the ISP circuit tests normally when connected directly.
- System health shows normal CPU and RAM usage.
- Disabling IPS, antivirus, content filter, or bandwidth management does not improve speeds.
Solution
Step 1: Rule out the ISP and confirm the issue is firewall-wide
- Run a speed test with a device connected directly to the modem or ISP handoff, bypassing Kerio Control. If speeds are normal, continue.
- Verify that multiple clients (wired and wireless, different subnets if applicable) all show the same low throughput.
- Check Status → System Health to confirm CPU and RAM are not saturated.
Step 2: Disable GRO on all traffic-carrying interfaces
- Log in to Kerio Control Web Administration.
- Navigate to Configuration → Interfaces.
- Double-click your Internet (WAN) interface to edit it.
- Open the Advanced tab.
- Set GRO (Generic Receive Offload) to Off.
- Click OK.
- Repeat steps 3–6 for every LAN interface that carries client traffic.
- Click Apply to save changes.
For additional background on GRO and Kerio Control, see Configuring GRO Setting for Maximum Bandwidth in Kerio Control.
Step 3: Reboot and test
- Reboot the appliance from Status → System Health → Reboot.
- After the appliance comes back up, verify DHCP, gateway ping, and WAN connectivity are working.
- Run speed tests from at least two internal clients to confirm throughput is restored.
Step 4: Verify stability
- Monitor for 24–48 hours to confirm the improvement holds.
- Re-check each interface’s Advanced tab after reboot to confirm GRO remains Off. (As of 9.5.0 Patch 3, GRO settings persist across reboots, but it is good practice to verify.)
- Take a fresh configuration backup once stability is confirmed.
Summary
- Root cause: GRO (Generic Receive Offload) can conflict with Kerio Control’s packet processing, severely throttling throughput.
- Fix: Disable GRO on all WAN and LAN interfaces via Configuration → Interfaces → (edit) → Advanced → GRO = Off, then reboot.
- Scope: Applies to all Kerio Control deployment types (hardware, software, virtual) running 9.4.2 and later.
FAQ
Q: Does the GRO setting persist after a reboot or power cycle?
Yes. As of Kerio Control 9.5.0 Patch 3, GRO settings configured in the Web Admin UI are saved to the configuration and persist across reboots. It is still good practice to verify the setting after a reboot by revisiting each interface’s Advanced tab.
Q: Should disabling GRO be treated as a permanent fix or a temporary workaround?
It can remain in place permanently. GRO is a network-stack optimization that is not required for Kerio Control to function correctly. Disabling it removes a known source of throughput degradation with no negative side effects on firewall features or security.
Q: What should I do if throughput drops again after the fix has been applied?
First, confirm GRO is still set to Off on all interfaces and that GFI AppManager remains disabled. If both are correct and system health (CPU, RAM, logs) is normal, collect an export of the Error and Warning logs from Status → Logs along with interface status details, and contact support for deeper analysis.
Ciprian Nastase